[00:01.120 --> 00:03.280]  Can you guys hear me now?
[00:06.500 --> 00:17.360]  Alright, so hello everyone. I'm 800XL. As already mentioned, I'm with DEF CON group 619858, San Diego.
[00:17.880 --> 00:20.560]  And just a few quick fun facts about me.
[00:21.640 --> 00:29.420]  The first ever hacking movie they ever saw in the mid-80s was WarGames. If you haven't seen it, you should watch it.
[00:29.940 --> 00:38.420]  My first computer, and also inspiration for my handle, was Atari 800XL, which I received at the age of 15.
[00:38.420 --> 00:44.320]  And that was quite a life-changing event for me that shaped my interests and passions going forward.
[00:45.260 --> 00:54.300]  Just a quick note about Atari 800XL, just to put things into perspective, it was an 8-bit computer with 64K of memory.
[00:54.500 --> 00:56.620]  And that's how I learned how to program.
[00:58.100 --> 01:06.720]  My first DEF CON, and it's been quite a while since then, was DEF CON 14, and that was at the Riviera Hotel and Casino.
[01:06.720 --> 01:12.400]  I believe the casino is no longer around, it's been demolished. And that was back in 2006.
[01:13.780 --> 01:22.800]  Now, the thing about DEF CON, the first DEF CON, I clearly remember driving back home with a bit of sadness that the event was over.
[01:22.800 --> 01:31.240]  And dreading, you know, how many months it will be before I can come back to Las Vegas and attend the next DEF CON conference the following year.
[01:31.680 --> 01:38.720]  And, you know, as it turned out, DEF CON Groups was a perfect remedy for that. And we'll get to that in a bit.
[01:48.500 --> 01:50.960]  So, a little bit about San Diego.
[01:52.340 --> 02:00.960]  For those of you who don't know much about San Diego, it's located in Southland, California, on the border of Mexico.
[02:01.540 --> 02:07.660]  And it is the 8th largest city in the United States, with population approaching 1.5 million.
[02:08.680 --> 02:12.940]  We are known for great microclimates, and it's, you know, beautiful beaches.
[02:14.620 --> 02:20.640]  But, you know, to be honest, I only go to the beach like 5 times a year, even though it's close.
[02:21.700 --> 02:26.400]  And, as you know, DEF CON Group names are designated by dialing area codes.
[02:26.400 --> 02:35.380]  And in San Diego, the original dialing code was 619, and we also have 858 and 760, which is like a North County.
[02:36.360 --> 02:49.700]  And another fun fact is that we are 534 kilometers from Las Vegas, which means that, you know, when DEF CON conference is on, it takes about 5 hours, you know, drive to get there.
[02:49.700 --> 02:52.160]  Or you can fly, and that takes like 30 minutes.
[02:57.180 --> 02:58.920]  Group history.
[03:00.440 --> 03:05.920]  The DEF CON Group 858 was originally founded by Techlord.
[03:05.920 --> 03:15.060]  I've actually never met him in person, but I did read about the group on DEF CON forums after I went to DEF CON first time in 2006.
[03:15.660 --> 03:23.940]  And I was involved in DEF CON Group 619, which was founded by Renan01, Carl.
[03:23.940 --> 03:30.460]  He founded the group in 2007. Unfortunately, that group fell apart.
[03:31.580 --> 03:43.420]  In 2009 and 2012, there was no activity from DEF CON Groups, and I decided in December of 2013 that it was time to revive it from an activity.
[03:43.520 --> 03:49.040]  And, you know, we've been going very strong since then. We are approaching our 7-year anniversary.
[03:51.800 --> 04:13.120]  Our DEF CON Group leadership, you know, the responsibilities include organizing and running the meetings, organizing various events, a DEF CON party that we have annually, solicit people for talks, which is probably the hardest part, manage social media presence, order pizza for the meetings, etc.
[04:14.340 --> 04:30.900]  The three key people and other organizers for our group is Mr. Bill. He specializes in our social media and Twitter and Twitch, Braxis, and Tokso. Shout out to you guys.
[04:32.120 --> 04:45.740]  There was a pandemic... which is in the North County of San Diego.
[04:45.940 --> 04:52.980]  And on average, we had approximately 30 attendees at each meeting, sometimes even approaching as many as 40.
[04:53.600 --> 05:02.380]  Currently, because of social distancing guidelines, which we follow, we conduct our meetings on Zoom.
[05:02.560 --> 05:05.820]  We also stream the meetings to Twitch.
[05:07.040 --> 05:20.360]  Every week, Mr. Bill also organizes virtual happy hours. In between meetings, we collaborate on Slack. Our Slack has approximately 190 members.
[05:21.560 --> 05:30.240]  Our team at VaporSec competes in various CTFs, and that's pretty much on a weekly basis. It's a very active group.
[05:30.240 --> 05:43.400]  We have had occasional workshops. At least twice a year, we have Lockpicking Village. We also have done a wireless workshop in the past.
[05:43.960 --> 05:50.280]  Now, one other fun thing to do for us is, usually around December, we have a crap meet.
[05:50.280 --> 05:57.520]  This is when members bring books, electronics, any kind of cool unwanted items for exchange or just give away.
[05:57.520 --> 06:01.460]  Usually, we come with more stuff than members.
[06:03.800 --> 06:07.900]  It's a fun event, I recommend for other groups to also have it.
[06:08.940 --> 06:16.020]  Once a year, we organize a party at DEF CON for group members and friends.
[06:17.200 --> 06:23.480]  Hopefully, next year, when we have an in-person DEF CON, ping me, I'll get an invite.
[06:26.880 --> 06:38.480]  Speaking of things that we do, I should mention that two years ago, we had our DC858 electronic badge.
[06:39.460 --> 06:42.760]  The project was led by Elwood and Ager.
[06:43.100 --> 06:49.720]  Thanks to the badge sale process, it was possible to fund the pizza for our monthly group meetings for the entire year.
[06:49.720 --> 07:01.940]  I should also mention that Elwood and Ager made a significant donation on behalf of DC858 to the Women in Security and Privacy organization, which is very cool.
[07:05.580 --> 07:09.860]  I should mention some of the cool talks that we've had in the last 12 months.
[07:12.760 --> 07:16.900]  As you can see, talks cover a variety of topics.
[07:16.900 --> 07:23.300]  We are lucky to have many active contributors in subject matters as members.
[07:23.300 --> 07:33.920]  I should also point out that when we had the meetings in person, we had two to three talks at the same meeting, which is quite busy.
[07:39.120 --> 07:46.120]  Thanks for starting and growing your DEF CON group. I think we are very successful and very active.
[07:46.120 --> 07:50.400]  I recommend advertising on DEF CON forums, which is a good way.
[07:52.080 --> 08:02.720]  However, the activity on DEF CON forums is cyclical. Usually, it's more active, more people visited right before DEF CON and not so much afterwards.
[08:02.780 --> 08:04.980]  But it's a good place to start.
[08:05.580 --> 08:13.080]  And obviously, utilizing social media and Twitter and hoping for DEF CON groups' retweets is a great way to get members to attend your meetings.
[08:13.640 --> 08:21.020]  I also recommend to be very specific and have a topic for the meeting rather than just meet and greet or have beers.
[08:21.020 --> 08:23.660]  I recommend to have a topic of some sort.
[08:23.780 --> 08:28.580]  Don't be afraid to host introductory one-on-one talks. Your talks don't have to be advanced.
[08:28.720 --> 08:38.320]  It's also okay to have a short lightning talk. Maybe bring an idea or a topic to your group or a project that you want to work on.
[08:39.240 --> 08:55.100]  Invite guest speakers. I think now that we have all the groups engaged, it is possible for somebody from a different group to jump in on your Zoom and give a talk as a guest speaker.
[08:55.100 --> 08:56.760]  So you should reach out.
[08:57.980 --> 09:07.080]  You can get an invite to the unofficial DEF CON groups' Discord that we have and ask for guest speakers there.
[09:09.580 --> 09:21.120]  I've already mentioned that having workshops such as lockpicking is a good way to get people interested in your meeting.
[09:21.500 --> 09:29.300]  And also having a craft meet or something like a war driving contest. Simple things that get people interested.
[09:30.680 --> 09:32.360]  Where to meet?
[09:32.360 --> 09:43.780]  We've chosen a local pizzeria which has a private room and a couple TVs where we can project presentations, which is very convenient and also gives us a little bit of privacy.
[09:44.040 --> 09:52.220]  Because we have our own room and I think that particular Wednesday of the month would probably be the biggest revenue for that pizza place.
[09:52.220 --> 09:57.780]  Obviously, that's not possible now since we are following social distancing guidelines and we are doing virtual talks.
[09:57.780 --> 10:01.260]  But when things get back to normal, most likely we'll go back there.
[10:02.460 --> 10:06.360]  Frequency of your meetings. I guess it depends on how much content you have.
[10:06.360 --> 10:13.080]  If you are in a really large group with a lot of talks and a lot of volunteers to give talks, you may want to do it twice a month.
[10:13.080 --> 10:19.500]  But if you have fewer people, maybe quarterly, doing those meetings quarterly is more appropriate.
[10:21.620 --> 10:31.940]  It's very important to keep the momentum going, so definitely set up a chat, Discord or Slack, so your team members can communicate and collaborate in between meetings.
[10:33.300 --> 10:44.660]  Also, don't go at it alone. That will most likely lead to a burnout. Build your leadership team. Distribute responsibilities. Delegate tasks as much as you can.
[10:44.740 --> 10:53.860]  Sometimes real life will take over. You may not be able to participate and you want to keep your group going. It's important that you have other people to fall back on.
[10:54.800 --> 11:04.840]  If you'd like to connect with DEF CON San Diego, you can reach out to us on Twitter, Facebook, watch our Twitch streams, or email us.
[11:07.580 --> 11:21.720]  And that covers the introduction to DEF CON San Diego. Up next, we have a DC-858 member, Smoochie, who will give his talk, so let's welcome him.
[11:21.720 --> 11:35.840]  Hey, Dr. Axelsen. I'm from the San Diego DEF CON group and I'll be giving a presentation on Microsoft, how to save yourself from their Active Directory and Identity and Access Management design.
[11:36.840 --> 11:52.060]  So, with most of my talks, I always like to remind everybody that we are definitely in a privileged group that may get a little numb to the phishing campaigns and the jokes out there.
[11:52.060 --> 12:04.000]  For example, the Nigerian Prince and the IRS calling you. Those are stuff that we make fun of, but people fall victim to it.
[12:04.000 --> 12:14.520]  I personally had to deal with that with my in-laws. Microsoft called them directly and wanted to fix a problem of theirs, and that ultimately caused an issue that I had to help resolve.
[12:15.920 --> 12:27.720]  These things that we're aware of, just speak out about obvious things. Make sure your in-laws, your family that are non-technical, that this isn't something that happens in the real world.
[12:27.720 --> 12:37.700]  Microsoft is not going to reach out to you because you're a valued member. And the IRS is not going to call you and tell you that they're going to sue you if you don't send $100 this very instant.
[12:37.900 --> 12:45.080]  And of course, no main business does any type of commerce in Apple gift cards, so that should be a dead giveaway.
[12:53.090 --> 13:14.750]  In broad strokes, what we're going to talk about is what's wrong with Microsoft, good or bad, and how you can design a system, secure your system, protect your system against these by default settings and design decisions by Microsoft.
[13:14.750 --> 13:21.770]  One of the biggest ones that you need to take into account as you design any system is to always assume a breach.
[13:21.830 --> 13:32.890]  There are no safe zones anymore. With the rapid change of software and hardware that's out there, there are going to be bugs.
[13:32.890 --> 13:42.930]  There are going to be unintended backdoors, there are going to be unintended consequences that no person is going to be able to keep track of.
[13:42.930 --> 13:49.850]  So as you design any system or as you upgrade any system or as you review any system, always assume compromise.
[13:49.850 --> 13:55.510]  Assume that at some point, the thing that you're touching is going to have somebody on it that you don't want to have on it.
[13:55.510 --> 14:09.190]  So how can you help mitigate that concern when it does happen and limit the impact and success that that attacker or anybody who's just making mistakes could have on your environment?
[14:09.190 --> 14:15.030]  And again, it's not an if but a when of when you're going to have some issues.
[14:15.490 --> 14:21.090]  You know, the old adage that script kitties are just out there poking around having fun. That's still the case, right?
[14:21.290 --> 14:29.670]  It doesn't take much to go find tools that are out there. Cali Linux is well advertised.
[14:30.010 --> 14:38.610]  You do a couple of keyword searches into Google and you can find yourself going down a rabbit hole and identifying tools that will just do this for you, right?
[14:39.190 --> 14:46.130]  People are out there unaware of the ethical challenges of banging on the front door of someone's network, right?
[14:46.130 --> 14:52.850]  You can look at the Twitter compromise that just happened. This 17-year-old kid, right?
[14:52.850 --> 15:02.170]  How many years before that was he just playing around before he actually got deep into the SE and the actual phishing aspect?
[15:02.170 --> 15:13.050]  And then separation of duties. So, I know it's very easy to just say, hey, I'm your admin. I need full God rights on everything.
[15:13.150 --> 15:19.590]  Well, that's not how things should be operating, right? You should have very specific controls.
[15:19.590 --> 15:23.410]  You should have separation of those responsibilities.
[15:23.410 --> 15:31.210]  You know, for example, your exchange or email administrator probably shouldn't be the same person as your domain administrator, right?
[15:31.210 --> 15:35.530]  Because the impact that person could have is significant.
[15:35.530 --> 15:42.510]  Now, in smaller shops that you're unable to do this, you can start to separate those duties with accounts.
[15:42.510 --> 15:57.750]  So, you can have an exchange administrator account, your domain administrator account, and your user account just to make sure that any one account or any one person can be audited and does not have that wide blast radius if something does go bad.
[15:58.750 --> 16:07.230]  And when installing anything on your network at home or at work, take into account the install permissions.
[16:07.230 --> 16:14.130]  It's far too easy to say, hey, I need root rights or hey, I need domain admin rights and the installs just go great.
[16:14.130 --> 16:26.190]  But there are unintended consequences with service accounts being created or permissions on files being set up in that process that may cause harm in the future.
[16:29.980 --> 16:42.840]  So, on average, it takes about 24 to 48 hours from the first hour being compromised before someone's able to escalate their privilege to domain administrator or root rights.
[16:43.140 --> 16:51.060]  Now, once that person has domain administrator rights on your network, your network is essentially theirs.
[16:51.830 --> 16:58.120]  For those that are not used to Microsoft and Active Directory, that's full God rights.
[16:58.120 --> 17:07.580]  That's modifying accounts, that's changing passwords, that's removing computers from the domain, that's modifying files, that's anything and everything that they would want to do within the kingdom.
[17:08.320 --> 17:33.150]  And the persistence of a user once they have those... notified or able to identify them normally with tools that are out there in network land today.
[17:33.450 --> 17:38.350]  So, a lot of these things have to have outside help to come identify those.
[17:38.350 --> 17:48.770]  FBI has been reaching out when they've identified traffic from the nation state actors, Russia, Iran, all of those guys.
[17:49.010 --> 17:52.150]  So, a lot of these companies don't even know that they're there.
[17:52.150 --> 17:56.710]  And it's these third parties that come in and say, hey, we've seen this traffic, can you validate that this is valid for your company?
[17:56.710 --> 18:00.650]  Or they confirm that they have actually been compromised.
[18:01.750 --> 18:18.520]  And once those credentials are compromised, they're exfilling data, they're modifying data.
[18:18.520 --> 18:24.460]  So, it's very important that we get a tight rein on those elevated permissions.
[18:26.320 --> 18:33.040]  So, the way that Microsoft does password hashing is not unique to every domain.
[18:33.040 --> 18:38.720]  So, you have a user, the username is user, their password is password1.
[18:38.740 --> 18:47.200]  Well, Microsoft will take that combination of username and password, create a hash based on their algorithm.
[18:47.400 --> 18:55.480]  Either for Landman, which is the old way of authenticating, or NTLM, which is the new land manager.
[18:55.480 --> 18:57.020]  And you get a hash.
[18:57.140 --> 19:05.280]  Now, the great thing is that no matter what domain you're on, that combination will always have the same hash.
[19:05.280 --> 19:19.600]  So, if you're at alt space domain and you put in user1, password1, that hash that you get in NTLM will be the exact same when you go to Microsoft and put in user and password1.
[19:20.030 --> 19:31.160]  Which is an issue in itself, right, because you can start to build this domain knowledge of standard usernames and start to create those passwords.
[19:31.160 --> 19:41.320]  And because Microsoft doesn't solve the passwords, does not create that blank data in it, again, it's not unique across people's domains.
[19:43.020 --> 19:50.220]  So, what can be done and what is available is you can start to calculate these hashes, right?
[19:50.220 --> 19:56.480]  So, for username administrator, password1, that creates a unique hash, password2, password3, password4.
[19:56.480 --> 20:04.240]  And then you can also pull hashes and start to look up within that database or the rainbow table and know what the password is.
[20:04.260 --> 20:09.640]  So, it's not a lot of effort. And again, there are tools out there that do this for you.
[20:09.860 --> 20:17.700]  And basic process for a lot of people, you know, they use the administrator account with the administrator name.
[20:17.700 --> 20:21.560]  They don't change the name itself, right? There's still the guest account.
[20:21.560 --> 20:26.460]  There's still a lot of built-in stuff that they don't change that are pretty consistent across the board.
[20:26.480 --> 20:31.960]  And we're actually going to get into that with one specific account and why that's important.
[20:37.430 --> 20:45.290]  So, taking the passwords and the hashes. So, where can you find outside of having those hashes?
[20:45.290 --> 20:57.050]  So, within group policy objects, people hard code in username and passwords for ease of use, for installation of capabilities, or just out of pure laziness.
[20:57.050 --> 21:01.910]  So, map network drives within those group policy objects.
[21:03.670 --> 21:06.670]  Creating local users, right?
[21:06.670 --> 21:11.990]  Create a local service account on the box that's running a specific application.
[21:11.990 --> 21:17.250]  Well, that password is in clear text most of the time for those accounts.
[21:17.250 --> 21:22.610]  Data sources, printer configurations, update services, schedule tasks.
[21:22.610 --> 21:28.490]  All those require authentication and that password and username have to be stored somewhere.
[21:28.590 --> 21:33.290]  And nine times out of ten, it's going to be stored in clear text within group policy objects.
[21:33.870 --> 21:46.470]  SysVol for batch files. So, if you're able to create a custom batch file to delete a file on logon or to create a folder structure on logoff, that's going to take some credentials.
[21:46.670 --> 21:51.470]  Those passwords are probably within that batch file itself to run.
[21:51.470 --> 22:01.090]  On the domain controller, so you can use volume shadow copy and create a copy of the actual domain database itself, the ntds.dip.
[22:01.210 --> 22:10.190]  And on that same domain controller that you pull that dip file off, the decrypt key is actually in the registry.
[22:10.310 --> 22:16.450]  Now, the good thing is that the decrypt key is tied to the actual machine itself.
[22:16.450 --> 22:30.390]  So, it's not one universal decrypt key for every domain. It's for domain controller one has one decrypt key, domain controller two has a separate one, and they are unique in that regard.
[22:30.550 --> 22:35.870]  And then you can run tools out there. So, hopefully you all are aware of these ones.
[22:35.870 --> 22:42.790]  So, Mimikatz is one of the holy grail tools out there. It kind of does everything. It's a Swiss Army knife for how to take over a domain.
[22:42.990 --> 22:46.430]  That's created and deployed by a general way.
[22:47.490 --> 22:51.850]  There's Cryptman, a powerful script that's pulled by Microsoft.
[22:54.770 --> 23:02.270]  And DCSync, which is a capability for you to basically synchronize data from a domain.
[23:11.610 --> 23:18.750]  So, authentication within Active Directory is pretty straightforward. Kerberos has been around for quite some time.
[23:18.890 --> 23:24.250]  But in broad strokes, you have a view here that says, hey, I need access to something.
[23:24.390 --> 23:31.290]  Here is who I am. The domain controller validates that and says, yep, here's a ticket. You are who you say you are.
[23:31.430 --> 23:39.270]  Workstation says, cool, I want to go do this, get access to this server, go check out this website, whatever is Kerberos enabled.
[23:39.270 --> 23:44.050]  Server says, cool, yep, you are authorized to do that based off your groups and your rights.
[23:44.050 --> 23:51.650]  Send this over to the server, your application server, and you just have that back and forth like TCP packets.
[23:53.170 --> 23:57.150]  Sounds good, right? You have separation of duties within the authentication.
[23:57.150 --> 24:00.170]  You don't have one machine saying who they are or who they say they are.
[24:00.170 --> 24:03.590]  Everybody validates who they are. It's a circle of trust. Everything is great.
[24:03.590 --> 24:12.090]  But those tickets that are created by the domain controller are assigned by a specific account.
[24:12.350 --> 24:18.970]  And that account is the Kerberos ticket granting ticket account.
[24:18.970 --> 24:31.330]  And the hash that it uses for encryption is the hash of that username and password just like Microsoft does for every single account that I talked about before.
[24:31.330 --> 24:46.110]  So, using tools like Mimikatz, you are able to impersonate whoever you want to impersonate once you have that hash of the Kerberos ticket granting ticket.
[24:46.110 --> 24:54.770]  So essentially, you use Mimikatz, you read the domain, which is read-only to every single account on the domain.
[24:54.770 --> 24:58.050]  So as long as you are on the domain, you can read that information.
[24:58.050 --> 25:03.390]  You use Mimikatz. It's a very simple command to pull that hash.
[25:03.390 --> 25:07.370]  Once you have that hash, you use Mimikatz to create that golden ticket.
[25:07.370 --> 25:11.750]  At that point, you are able to sign and create any ticket that you want.
[25:11.910 --> 25:22.350]  So the ticket that would normally go from user station to domain controller saying, hey, I'm an admin. Here's my hash. Give me a ticket that says I can do what I want.
[25:22.470 --> 25:24.190]  That's essentially gone.
[25:24.190 --> 25:31.650]  As the user, you're passing that ticket that says, I'm already authenticated as an administrator. Let me do what I want to do.
[25:33.710 --> 25:38.790]  So, how would this kind of all work in the grand scheme of things?
[25:38.790 --> 25:43.190]  So, starting on the left as patient zero, we'll go through the black.
[25:43.810 --> 25:50.590]  Patient zero is infected. You've clicked on a bad link. You've installed some malware.
[25:50.590 --> 25:55.630]  You're subject to a phishing campaign, whatever the case may be.
[25:56.090 --> 26:04.520]  What are the ramifications of that happening?
[26:04.520 --> 26:09.280]  So, starting in black on the left, they have access to that machine.
[26:09.420 --> 26:12.160]  Well, any good attacker is going to set up a C2.
[26:12.160 --> 26:19.680]  So, they're going to beacon back using some type of remote console, most likely Netcat.
[26:19.680 --> 26:27.040]  But essentially, the traffic is going to initiate from that host out to your command and control center.
[26:27.540 --> 26:35.460]  Once they have that foothold within the machine, on the machine itself, again, it can read all of Active Directory because it's read-only by default.
[26:35.900 --> 26:41.060]  They can start to install keyloggers and look what data is on that local machine.
[26:41.520 --> 26:49.060]  They can also grab the credentials with the LSAT service, which is the service that stores the hashes on every machine.
[26:52.220 --> 26:58.780]  So, what I was saying was, as I talked about in the beginning slides, we're going to design for compromise.
[26:58.780 --> 27:14.140]  We're going to understand that the endpoint is going to be compromised at some point because of zero days, because of phishing, because of all of the multitude of vulnerabilities that are out there that could be used to take over that host.
[27:16.480 --> 27:21.700]  At the very least, somebody shares their username and password, or they put it underneath their keyboard.
[27:21.700 --> 27:24.600]  Whatever the case may be, there's a patient zero.
[27:24.940 --> 27:35.460]  Now, that patient zero machine on your network, that person, any attacker, is going to try and set up a command and control setup.
[27:35.460 --> 27:37.720]  And it's going to be a remote console.
[27:37.720 --> 27:46.640]  So, the communication is going to initiate from that host out to the command and control system, out into the internet.
[27:46.640 --> 27:55.700]  So, most firewalls out there are ports and protocol firewalls, and it's saying, hey, anything initiating from the internet, do not come into my network.
[27:55.700 --> 28:12.850]  Anybody that's saying, hey, I'm 443, going out on 443, 9 times out of 10, that's already permitted.
[28:12.850 --> 28:24.670]  And you're not going to know the difference between them going to Google HTTPS or some other server HTTPS, because there's no break-and-inspect.
[28:24.670 --> 28:29.090]  We're not looking at the traffic, any encryption that happens between the host and server.
[28:29.490 --> 28:37.250]  Once we have that foothold within that host, you're able to pull all of the Active Directory credentials.
[28:37.510 --> 28:42.530]  Sorry, you're able to pull all of the Active Directory information, because Active Directory is read-only.
[28:42.850 --> 28:51.850]  So, you can pull those GPOs, you can pull the usernames, you can understand structures, you can pull your organizational units, your OU structure,
[28:51.850 --> 28:57.970]  and start to build that greater recon on that domain that you're on.
[28:58.210 --> 29:04.670]  And then, of course, actually on the hosts themselves, you can put on key loggers, you can look at the data that's stored on there, and you can pull those credentials.
[29:04.670 --> 29:18.890]  Now, using any type of privilege escalation path, so a vulnerability or an exploit, or that user's already logged in as an administrator, you're able to get admin rights on that box.
[29:19.570 --> 29:30.730]  And so, from there, you're able to pull hashes, you're able to look at active credentials, you can change passwords on the host, you can do anything you want to do on that single host.
[29:30.730 --> 29:40.810]  Now, the money's where you're able to reach out and gain access as a privileged user within the domain.
[29:40.810 --> 29:47.630]  And so, everything that's within the yellow at this point is assumed local user or non-privileged user.
[29:47.930 --> 29:58.650]  When you pass the hash on the host out to another server or system, again, that hash is your username and your password in a single string.
[29:58.650 --> 30:10.770]  And so, the other servers can adjust that and say, yep, give me that hash, great. Pass the hash attacks are well documented out there, and you're able to get access as impersonating that user.
[30:11.070 --> 30:18.490]  Now, the trick for escalation is really nuts and bolts in the separation of duties, right?
[30:18.490 --> 30:27.850]  So, we don't want people logging into their daily driver machines, the machines that they check their email with, the machines that they go to the internet on as a domain admin.
[30:28.810 --> 30:37.610]  Sad to say, that's still very much happening, and I understand why, good or bad, as a domain admin, you can do whatever you want.
[30:37.610 --> 30:44.250]  There's nothing restricting you. You don't have to act for access. Everything's presented to you.
[30:44.990 --> 30:55.510]  From there, you can use tools like Mimikatz to grab credentials, to grab the hashes, and then you can start to create your golden ticket.
[30:55.510 --> 31:01.210]  And at that point, you can impersonate anybody that you want, and your persistence is pretty much guaranteed.
[31:02.630 --> 31:09.770]  So, what do you do about this, right? This is built-in Microsoft capability. They're all about collaboration and integration.
[31:09.770 --> 31:21.510]  So, these are the trade-offs that they've made as a solution to say, we want this to move fast, and we want things to work together quickly, over security.
[31:21.510 --> 31:41.190]  So, as an individual, you can implement break-and-select to get the ability that, say, when you go to https.google.com, you're swapping certificates with that server that says,
[31:41.190 --> 31:48.970]  I am google.com, here's my public key, send me data, we will encrypt this communication.
[31:49.230 --> 31:59.210]  When you pass that through any of your next-generation firewalls, they can't see anything but encrypted HTTPS.
[32:00.590 --> 32:15.820]  This allows for that communication from a host that uses an F5 device to essentially terminate the encryption, so your F5 device essentially impersonates Google.
[32:16.060 --> 32:25.820]  You can see that HTTPS traffic and then move on to encrypting that with the end server that you're communicating with.
[32:25.820 --> 32:28.040]  And that way, you can look at the payload.
[32:28.880 --> 32:46.000]  Now, this is different. Break-and-inspect and TLS offload is different from your normal load balancing, where your load balancing, your host comes in and makes a connection with the F5 device, and then traffic isn't cleared back to your server.
[32:46.000 --> 32:57.740]  So, it's really about what you're looking to protect. Are you protecting your data, users connecting to your stuff, or are you trying to connect your users connecting out to other servers?
[32:58.040 --> 33:08.250]  It's a trade-off that you're going to have to make. There's obviously implications on speed and throughput, and devices like F5 are notoriously expensive.
[33:09.410 --> 33:15.550]  The other thing that can be implemented if you are Windows 8 or above is Credential Guard.
[33:15.550 --> 33:23.830]  And Credential Guard is taking that LSAS capability that stores those hashes and virtualizing it.
[33:23.830 --> 33:30.970]  So, if they take over that host, they're unable to pull any hashes that have been used on that machine.
[33:30.970 --> 33:41.150]  And that's very, very important because if a domain administrator has logged into that machine, that may not be the user that's currently logged in.
[33:41.150 --> 33:43.930]  The hash is still stored in LSAS.
[33:44.690 --> 33:54.710]  And that's very important because a lot of times domain admins or people with escalated privilege log into machines to fix a problem or to install software.
[33:54.710 --> 34:03.430]  Using Credential Guard allows you to virtualize that and keep that isolated from somebody who has compromised that local machine.
[34:04.930 --> 34:08.710]  And this fundamentally breaks Mimikatz.
[34:08.710 --> 34:14.430]  And like I said before, Mimikatz is the bread and butter for taking over Active Directory.
[34:15.270 --> 34:18.110]  You can also do AD segmentation.
[34:18.130 --> 34:24.130]  So, partitioning out where that information is going to live.
[34:24.130 --> 34:32.910]  Having domain controllers live within a completely separate domain, this completely separate force from where the data lives.
[34:32.930 --> 34:41.990]  So that way, when a user is ultimately compromised, what they're able to access and what they're able to view and what they're able to pull is extremely limited.
[34:42.190 --> 34:53.750]  Because again, designed for compromise, with all the threats that are out there and the change in the software, it's very hard, if not impossible, to keep up on everything and have everything patched.
[34:54.130 --> 34:59.370]  To a level that accounts for all of the new stuff that's out there.
[35:00.850 --> 35:15.230]  And so, what you effectively do is that you take your privileged accounts, your enterprise admins, your domain admins, and they live in a completely separate domain.
[35:15.230 --> 35:21.990]  Meaning that isolated domain controllers, isolated servers, isolated virtual environments.
[35:21.990 --> 35:34.970]  Because you can backdoor into Windows domain through, if you're using VMware, you can use VMware capability to get escalated rights within your domain control if it's virtualized and then take over the domain itself.
[35:34.970 --> 35:45.210]  So, you're really trying to draw a clear line between what your users can access and what can be accessed in a nefarious manner.
[35:48.190 --> 36:00.010]  And then, using Microsoft's suggested terminology, so they have their tiers where Tier 0 is your highest level, your forest domains, your enterprise domains.
[36:00.010 --> 36:10.650]  And those live separate and they can communicate within, but you don't talk down, right? So, you don't log in as a forest domain into a resource within a Tier 0.
[36:10.650 --> 36:22.890]  You can always escalate up, you never escalate down. And that's to keep those credentials isolated from any of those hosts that ultimately may become compromised, right?
[36:23.330 --> 36:34.270]  So, again, that idea that an enterprise domain or domain controller wouldn't log into an endpoint because that's going to be the first line of attack.
[36:36.640 --> 36:46.040]  And what are some of the standard stuff that ultimately lead to compromise is your access control list.
[36:46.040 --> 36:53.680]  So, users out there, your group membership, your help desk persons, never going to need to take over accounts, right?
[36:53.680 --> 37:00.020]  They may need to reset the password. Best practice would be to put something in between that, right?
[37:00.020 --> 37:06.640]  A service account that you would have heavily monitored that whenever it's used, it needs to be tied to a help desk ticket.
[37:06.640 --> 37:14.720]  Something that you can start to draw those parallels in your logging so you can understand anomalies that are happening.
[37:14.720 --> 37:24.020]  This one happens a lot where you have good isolation, you have a domain admin account, you have your exchange account, you have your user account.
[37:24.180 --> 37:31.700]  And there may be joe.admin, joe.exchange, joe.user, but the password's all password1.
[37:32.140 --> 37:38.620]  So, that one's going to get you. And again, it's all about not salting, so it's the same hash.
[37:38.620 --> 37:48.220]  So, if they have an administrator account with password1, it's going to be easily found because every other domain that has the same username and same password has the same exact hash.
[37:48.380 --> 37:59.040]  Service accounts. So, service accounts are meant to be targeted quote-unquote user accounts that you would create that execute a specific purpose.
[37:59.040 --> 38:02.520]  And that specific purpose needs to be locked down.
[38:10.070 --> 38:15.730]  Service accounts are created for a specific capability and it's just set it, forget it.
[38:15.730 --> 38:26.770]  And sometimes those passwords are shared among other service accounts, sometimes those passwords are written down, sometimes those passwords are default from the vendor.
[38:27.030 --> 38:29.330]  And elevated permissions on the workstation.
[38:29.330 --> 38:36.310]  So, again, that user logging into the machine with the elevated permissions, that goes to the internet, that checks their email.
[38:36.310 --> 38:45.050]  If they go to a nefariously crafted link or they download a bad file, that file is being ran under that user's permission.
[38:45.050 --> 38:55.450]  So, you really want to isolate that account to just what it should be doing, meaning that if it's a user, it's user rights.
[38:55.450 --> 39:03.570]  They have enough rights to log into the machine, to boot up whatever applications they need to boot up and nothing more.
[39:03.570 --> 39:13.790]  Anything that they need to do on top of that, say developers or whatnot, they should be elevating to another account to do that specific capability.
[39:14.210 --> 39:22.010]  And then application-wide listing. So, most of the time, your secretary's machine, never going to need to run PowerShell.
[39:22.010 --> 39:26.230]  You see PowerShell running on that box, it's a dead giveaway that something's wrong.
[39:26.230 --> 39:30.770]  Maybe on your developers, you have a little bit of leeway because they're doing other things.
[39:30.770 --> 39:40.430]  But you really need to understand who's out there, what are they doing on their machines, and only allowing the specific applications that you want them to allow.
[39:40.430 --> 39:50.310]  And in that instance, if they do download an application, let's just say they think they're downloading Spotify or Zoom and it's not what it's supposed to be.
[39:50.310 --> 39:59.010]  They execute that, it's not authorized to run, that binary never kicks off.
[39:59.450 --> 40:10.510]  And LAN hash. So, like I spoke to earlier in the presentation, LAN manager is an old way of hashing username and passwords.
[40:10.510 --> 40:14.310]  And it's very, very easy to crack. It takes really no processing time at all.
[40:15.050 --> 40:19.630]  It's only in place today for legacy applications.
[40:19.630 --> 40:25.310]  So, if you do have a legacy application out on your network, that thing probably has some issues as well.
[40:25.310 --> 40:29.530]  So, you really should identify why you need that enabled.
[40:29.670 --> 40:36.550]  If you do, identify why that thing still needs to be on the network, why that application still needs to be on the network.
[40:36.550 --> 40:46.270]  And probably look at some type of deployment plan to getting that on to a newer operating system or a different capability.
[40:46.270 --> 40:54.410]  Or maybe even a software as a service solution, so that way you really start to lower your risk to your network.
[40:54.790 --> 40:59.130]  And enumeration is understanding what's out there.
[40:59.750 --> 41:10.770]  If somebody who stood up that network put every single user in the domain admin rights group because that was the easiest thing to do, your risk is off the charts.
[41:10.770 --> 41:18.290]  So, you need to look at your groups, you need to look at your users on a pretty regular basis to make sure that nothing's changing.
[41:18.330 --> 41:36.730]  If you're in a position to be able to deploy new solutions or maybe even procure stuff, there's a lot of products out there that you could download open source or buy that can heavily monitor group membership and notify you of any changes.
[41:36.730 --> 41:39.750]  In some instances, they can even block it based on business rules.
[41:40.770 --> 41:43.610]  Volume shadow copy on domain controllers.
[41:44.050 --> 41:47.090]  You know, domain controllers themselves replicate within themselves.
[41:47.090 --> 41:54.950]  You don't need to do volume shadow copies of a file structure on your domain controller to another server.
[41:55.110 --> 41:57.010]  You just need to disable that.
[41:57.010 --> 42:02.470]  And if you do have a scenario which you need volume shadow copy, please reach out to me.
[42:02.470 --> 42:05.930]  I would love to understand that problem.
[42:05.930 --> 42:15.750]  What you're supposed to do with this whole file is essentially a shared member product that has your path files on it, that has some of your computer files on it.
[42:15.890 --> 42:20.930]  Understand who's reading that, who's pulling the information, and who has access.
[42:20.930 --> 42:28.650]  And monitor that with any type of logging capability and send you alerts as soon as something's out of the norm is done on that.
[42:30.070 --> 42:34.130]  If you can block peer-to-peer communication.
[42:34.130 --> 42:37.870]  End-user machine to end-user machine, you should.
[42:38.370 --> 42:44.990]  I understand that there's a lot of solutions out there that would require peer-to-peer capability.
[42:45.270 --> 42:57.170]  But if you can block the adversary from leapfrogging to other hosts, your peers that are generally less secure, you should do that.
[42:57.210 --> 43:01.290]  And then, of course, log, whitelist, and block if you can PowerShell.
[43:01.290 --> 43:03.810]  PowerShell is extremely powerful.
[43:04.130 --> 43:05.810]  You can do a lot of things with that.
[43:06.090 --> 43:10.210]  And again, I don't think the secretary would ever need to run a PowerShell script.
[43:10.570 --> 43:20.030]  And any of your developers that might, you would look to see what access they truly need and give them an account to do that in a very specific scenario.
[43:21.530 --> 43:25.190]  Alright, with that, that is my presentation. Thank you very much.
